unobscured password entry boxes would encourage users to enter longer passwords
This seemed like a big claim to make with no proof. On one hand it is a strong argument for opening up password input (especially upon first entry) - but if false it is a strong argument against. I devised a small test which presented visitors with a survey. Each person got a short survey (which was irrelevant) and then was asked for a password and username. Some people received obscured fields, others open fields. To add spice they were also randomly given a short piece of text explaining what makes a good password (so there are 4 combinations: obscured, obscured with hints, unobscured, unobscured with hints).
I'm still analysing the results and hope to post some insights on my blog soon. But I thought the initial impression would interest HN first.
The first thing to note is that people were amazingly suspicious of it. Encouragingly so. I don't mean people visiting from here (I think I got fewer than 10 entries via the HN submission - almost all of which were a variation of "haha nice try" as the password).
But several people who I would consider low skilled computer users found it suspicious and emailed me asking WTF?
At first take-up was slow (because it looked like a phishing attack) but once I posted a blog post explaining in a bit more detail things picked up. I also posted to a couple of communities where I am well known in person (and trusted, I think). They proved great sources of new passwords (as they actually read the intro :)) - and were more successful in convincing friends to try it out.
In the end I have managed about 6500 results. Over half of these I would say are joke or otherwise random entries so I discarded them (this was subjective - but I went with things like "ha ha").
I also discarded common nonsense passwords. Of these, variations on bobo/bobbob were the MOST common username/password combination. It's a weird thing - at one point 4 people in a row entered pretty much the same thing.
Right, so onto the data. I'm the first to admit this is a VERY roughshod way to do this (I'm devising a better test based on this one's feedback) but I think the results are of interest.
Firstly the pages including password hints tended to actually encourage shorter passwords (average length was 6.36 chars compared to 7.84 chars). But what it did do was encourage more varied passwords. Passwords with hints given on the entry page generally had more numbers, had the word jumbled or used caps MORE than pages with no hints.
Both unobscured and obscured pages with no hints exhibited roughly the same complexity in password (though there was a tendency for unobscured boxes to use capitals more often). The biggest result was in length. Obscured password boxes not only generated longer passwords (on average) than unobscured - the unobscured boxes also generated a LOT more "junk" (asdfd for example). The inference seems to be that "trust" also became an issue - where the obscured box felt more secure.
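For anyone who wants to reproduce the kind of scoring described above (discard junk entries, then compare average length and digit/capital/symbol use per condition), here is an added example of that tallying step. It is not the survey's own analysis code and the entries, the condition labels and the junk word list are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample entries as (condition, password). These are made up for
# the example and are not the survey's real data.
SAMPLE_ENTRIES = [
    ("obscured", "correcthorse"),
    ("obscured", "Summer2009"),
    ("obscured", "tiger"),
    ("obscured+hints", "P4ssw0rd"),
    ("obscured+hints", "c0ffee"),
    ("unobscured", "asdfd"),
    ("unobscured", "bobbob"),
    ("unobscured", "monkey"),
    ("unobscured", "London1"),
    ("unobscured+hints", "haha nice try"),
    ("unobscured+hints", "Rover!9"),
]

# Heuristic junk filter: keyboard walks, joke entries and the bobo/bobbob
# family mentioned in the post. The word list is an assumption for this example.
JUNK_RE = re.compile(r"asdf|qwer|zxcv|1234|haha|lol|nice try|test|bob|password", re.I)


def is_junk(password):
    """True for entries that should be discarded before scoring."""
    if len(password) < 4:
        return True
    if len(set(password)) == 1:  # e.g. "aaaaaa"
        return True
    return JUNK_RE.search(password) is not None


def features(password):
    """Crude complexity features: length plus digit, capital and symbol presence."""
    return {
        "length": len(password),
        "digit": any(c.isdigit() for c in password),
        "upper": any(c.isupper() for c in password),
        "symbol": any(not c.isalnum() for c in password),
    }


def summarise(entries):
    """Per-condition submission count, junk count and mean features over kept entries."""
    kept_by_cond = defaultdict(list)
    junk_by_cond = defaultdict(int)
    for cond, pw in entries:
        if is_junk(pw):
            junk_by_cond[cond] += 1
        else:
            kept_by_cond[cond].append(features(pw))

    summary = {}
    for cond in sorted(set(kept_by_cond) | set(junk_by_cond)):
        kept = kept_by_cond[cond]
        n = len(kept)

        def rate(key):
            # bool sums as 0/1, so this is the fraction of kept entries with the feature
            return round(sum(f[key] for f in kept) / n, 2) if n else 0.0

        summary[cond] = {
            "submitted": n + junk_by_cond[cond],
            "junk": junk_by_cond[cond],
            "avg_len": round(sum(f["length"] for f in kept) / n, 2) if n else 0.0,
            "digit_rate": rate("digit"),
            "upper_rate": rate("upper"),
            "symbol_rate": rate("symbol"),
        }
    return summary


if __name__ == "__main__":
    for cond, stats in summarise(SAMPLE_ENTRIES).items():
        print(f"{cond:18s} {stats}")
```

With the constructed data the unobscured condition loses two of four entries to the junk filter, which is the effect the post describes; on real survey data you would want to tune the junk list by hand and record how many entries each rule removed, since the discard step is the most subjective part.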
Finally the feedback was interesting; overwhelmingly the people I talked to said they found an unobscured password box worrying.
One comment I found summed up the overriding feeling (that unobscured feels wrong but they can see the uses in some cases):
hiding it makes me feel more secure, I mean if a site can't be bothered to secure the password entry box god knows what the back-end is like [Wink]
however I have lost count of the number of times I incorrectly enter my windows password while unlocking my computer [Tongue] being able to see what I type in would stop that but it would only save a few seconds
Ok, so none of this is conclusive or even really usable to draw a full analysis - but I think the results are worth enough to say: it looks like unobscuring password boxes might not have as big an impact as suggested.
Comments?